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What Is Claimed Is: 

1 1 . A method for emulating computer viruses and/or malicious 

2 software that operates by patching additional program instructions into an 

3 emulator in order to aid in detecting a computer virus and/or malicious software 

4 within suspect code, the method comprising: 

5 receiving the suspect code; 

6 loading the suspect code into an emulator buffer within a data space of a 

7 computer system; 

8 loading a first emulator extension into the emulator, the first emulator 

9 extension including program instructions that aid in the process of emulating the 

10 suspect code in order to detect a computer virus and/or malicious software; 

1 1 performing an emulation using the first emulator extension and the suspect 

12 code, the emulation being performed within an insulated environment in the 

13 computer system so that the computer system is insulated from malicious actions 

14 of the suspect code; and 

1 5 determining whether the suspect code is likely to exhibit malicious 

1 6 behavior based upon the emulation. 

1 2. The method of claim 1 , wherein loading the first emulator 

2 extension into the emulator includes loading the first emulator extension into the 

3 emulator buffer within the emulator; and 

4 wherein performing the emulation includes emulating the program 

5 instructions that comprise the first emulator extension. 

1 3. The method of claim 2, wherein emulating the program 

2 instructions that comprise the first emulator extension causes the emulator to 
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3 examine the suspect code looking for patterns that indicate that the suspect code is 

4 likely to exhibit malicious behavior. 

1 4. The method of claim 2, wherein emulating the program 

2 instructions that comprise the first emulator extension causes the program 

3 instructions within the first emulator extension to facilitate emulation of the 

4 suspect code. 

1 5. The method of claim 1, further comprising emulating the suspect 

2 code prior to loading the first emulator extension into the emulator buffer. 

1 6. The method of claim 1 , further comprising: 

2 loading a second emulator extension into the emulator; and 

3 performing a second emulation using the second emulator extension and 

4 the suspect code. 

1 7. The method of claim 6, wherein the first emulator extension and 

2 the second emulator extension provide support for conflicting emulator 

3 environments. 

1 8. The method of claim 1, wherein loading the first emulator 

2 extension involves loading the first emulator extension from a database containing 

3 a plurality of different emulator extensions. 

1 9. The method of claim 1, wherein the first emulator extension 

2 includes code for decrypting an encrypted computer virus and other encrypted 

3 malicious code. 
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1 10. The method of claim 1 , further comprising if a computer virus or 

2 other malicious software is detected within the suspect code, disinfecting the 

3 suspect code. 

1 11. The method of claim 1, wherein the first emulator extension 

2 facilitates emulating a non-standard computer instruction opcode. 

1 12. The method of claim 1 , wherein the first emulator extension 

2 facilitates emulating an uncommonly used operating system call. 

1 1 3 . A computer-readable storage medium storing instructions that 

2 when executed by a computer cause the computer to perform a method for 

3 emulating computer viruses and/or malicious software that operates by patching 

4 additional program instructions into an emulator in order to aid in detecting a 

5 computer virus and/or malicious software within suspect code, the method 

6 comprising: 

7 receiving the suspect code; 

8 loading the suspect code into an emulator buffer within a data space of a 

9 computer system; 

1 0 loading a first emulator extension into the emulator, the first emulator 

1 1 extension including program instructions that aid in the process of emulating the 

12 suspect code in order to detect a computer virus and/or malicious software; 

1 3 performing an emulation using the first emulator extension and the suspect 

14 code, the emulation being performed within an insulated environment in the 

1 5 computer system so that the computer system is insulated from malicious actions 

1 6 of the suspect code; and 
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1 7 determining whether the suspect code is likely to exhibit malicious 

1 8 behavior based upon the emulation. 

1 14. The computer-readable storage medium of claim 1 3, wherein 

2 loading the first emulator extension into the emulator includes loading the first 

3 emulator extension into the emulator buffer within the emulator; and 

4 wherein performing the emulation includes emulating the program 

5 instructions that comprise the first emulator extension. 

1 15. The computer-readable storage medium of claim 14, wherein 

2 emulating the program instructions that comprise the first emulator extension 

3 causes the emulator to examine the suspect code looking for patterns that indicate 

4 that the suspect code is likely to exhibit malicious behavior. 

1 16. The computer-readable storage medium of claim 14, wherein 

2 emulating the program instructions that comprise the first emulator extension 

3 causes the program instructions within the first emulator extension to facilitate 

4 emulation of the suspect code. 

1 1 7. The computer-readable storage medium of claim 13, wherein the 

2 method further comprises emulating the suspect code prior to loading the first 

3 emulator extension into the emulator buffer. 

1 18. The computer-readable storage medium of claim 13, wherein the 

2 method further comprises: 

3 loading a second emulator extension into the emulator; and 
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1 performing a second emulation using the second emulator extension and 

2 the suspect code. 

1 19. The computer-readable storage medium of claim 1 8, wherein the 

2 first emulator extension and the second emulator extension provide support for 

3 conflicting emulator environments. 

1 20. The computer-readable storage medium of claim 13, wherein 

2 loading the first emulator extension involves loading the first emulator extension 

3 from a database containing a plurality of different emulator extensions. 

1 21 . The computer-readable storage medium of claim 13, wherein the 

2 first emulator extension includes code for decrypting an encrypted computer virus 

3 and other encrypted malicious code. 

1 22. The computer-readable storage medium of claim 1 3, wherein if a 

2 computer virus or other malicious software is detected within the suspect code, 

3 the method further comprises disinfecting the suspect code. 

1 23. The computer-readable storage medium of claim 13, wherein the 

2 first emulator extension facilitates emulating a non-standard computer instruction 

3 opcode. 

1 24. The computer-readable storage medium of claim 13, wherein the 

2 first emulator extension facilitates emulating an uncommonly used operating 

3 system call. 
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1 25. An apparatus that emulates computer viruses and/or malicious 

2 software that operates by patching additional program instructions into an 

3 emulator in order to aid in detecting a computer virus and/or malicious software 

4 within suspect code, the apparatus comprising: 

5 a loading mechanism that is configured to load the suspect code into an 

6 emulator buffer within a data space of a computer system; 

7 wherein the loading mechanism is additionally configured to load a first 

8 emulator extension into the emulator, the first emulator extension including 

9 program instructions that aid in the process of emulating the suspect code in order 

1 0 to detect a computer virus and/or malicious software; 

1 1 an emulation mechanism that is configured to perform an emulation using 

12 the first emulator extension and the suspect code, the emulation being performed 

1 3 within an insulated environment in the computer system so that the computer 

14 system is insulated from malicious actions of the suspect code; and 

1 5 a determination mechanism that is configured to determine whether the 

16 suspect code is likely to exhibit malicious behavior based upon the emulation. 

1 26. The apparatus of claim 25, wherein the loading mechanism is 

2 configured to load the first emulator extension into the emulator buffer within the 

3 emulator; and 

4 wherein the emulation mechanism is configured to emulate the program 

5 instructions that comprise the first emulator extension. 



1 27. The apparatus of claim 26, wherein emulating the program 

2 instructions that comprise the first emulator extension causes the emulation 

3 mechanism to examine the suspect code looking for patterns that indicate that the 

4 suspect code is likely to exhibit malicious behavior. 
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1 28. The apparatus of claim 26, wherein emulating the program 

2 instructions that comprise the first emulator extension causes the emulation 

3 mechanism to facilitate emulation of the suspect code. 

1 29. The apparatus of claim 25, wherein the emulator is configured to 

2 emulate the suspect code prior to loading the first emulator extension into the 

3 emulator buffer. 

1 30. The apparatus of claim 25, wherein the loading mechanism is 

2 additionally configured to: 

3 load a second emulator extension into the emulator; and to 

4 perform a second emulation using the second emulator extension and the 

5 suspect code. 

1 31." The apparatus of claim 30, wherein the first emulator extension 

2 and the second emulator extension provide support for conflicting emulator 

3 environments. 

1 32. The apparatus of claim 25, wherein the loading mechanism is 

2 configured to load the first emulator extension from a database containing a 

3 plurality of different emulator extensions. 

1 33. The apparatus of claim 25, wherein the first emulator extension 

2 includes code for decrypting an encrypted computer virus and other encrypted 

3 malicious code. 
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1 34. The apparatus of claim 25, further comprising a disinfecting 

2 mechanism that is configured to disinfect the suspect code if a computer virus or 

3 other malicious software is detected within the suspect code. 

1 35. The apparatus of claim 25, wherein the first emulator extension is 

2 configured to facilitate emulating a non-standard computer instruction opcode. 

1 36. The apparatus of claim 25, wherein the first emulator extension is 

2 configured to facilitate emulating an uncommonly used operating system call. 
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